Incident Response > [T3]: Lab - RITA: Detect DNS tunneling

Detect DNS tunneling

Attackers use DNS tunneling to communicate with their C2 server or to exfiltrate data, because DNS traffic is usually allowed through edge firewalls.

This demo shows how to use RITA to detect C2 communication over the DNS channel.

Open your terminal, head to ~/Desktop/CCD/RITA/pcap, then execute the commands below to convert the PCAP into Zeek log format:

  • cd ~/Desktop/CCD/RITA/pcap
  • mkdir dnscat2_logs
  • cd dnscat2_logs/
  • zeek -r ../dnscat2_dns_tunneling_24hr.pcap local
  • cd ..


This step may take some time, depending on your system, but you should see something similar to the screenshot below when it ends.

That will result in 13 different Zeek log files located in ~/Desktop/CCD/RITA/pcap/dnscat2_logs.

We need to import the generated logs into the RITA database for analysis. Go ahead and execute:

sudo rita import dnscat2_logs dnscat2

This step will take some time while RITA analyzes all of the DNS traffic.

Now we can use RITA to list the queried FQDNs and inspect the DNS traffic. Open your terminal and execute the following:

sudo rita show-beacons-fqdn dnscat2 -H

sudo rita show-exploded-dns dnscat2 -H | more

As you can see, there is a massive number of DNS queries towards cisco-update[.]com and not a single HTTP request to the same domain, which is a good indicator that something is fishy.

To dig deeper, we can grep the exploded-DNS output for that domain. Go ahead and execute:

sudo rita show-exploded-dns dnscat2 | grep cisco-update.com

You can see many DNS requests to the same second-level domain, each carrying a randomly generated subdomain, which is how the client talks to the C2 server.
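As an added example (not part of this lab or of RITA itself), the following Python re-implements the core of the exploded-DNS check on a Zeek dns.log: group queries by registered domain, count the distinct subdomains, and cross-reference each domain against the Host values seen in http.log. The log excerpt, the HTTP host set and the thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed Zeek dns.log excerpt (not capture data), trimmed to the columns used; "query" is found via #fields.
SAMPLE_DNS_LOG = """\
#fields\tts\tid.orig_h\tid.resp_h\tquery\tqtype_name
1600000000.1\t10.0.0.5\t10.0.0.53\t3a9f1c2be07d4d.cisco-update.com\tTXT
1600000000.2\t10.0.0.5\t10.0.0.53\t7bd0e4a1f93c20.cisco-update.com\tTXT
1600000000.3\t10.0.0.5\t10.0.0.53\tc41e8f7a2d6b91.cisco-update.com\tTXT
1600000001.0\t10.0.0.7\t10.0.0.53\twww.example.com\tA
1600000002.0\t10.0.0.7\t10.0.0.53\tmail.example.com\tA
"""
SAMPLE_HTTP_HOSTS = {"www.example.com"}  # constructed: Host values from http.log

def parse_zeek_tsv(text):
    """Yield one dict per record; column names come from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def split_fqdn(fqdn):
    """'x.cisco-update.com' -> ('x', 'cisco-update.com'); simplification: last two labels."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def exploded_dns(dns_log, http_hosts=frozenset()):
    """Rows of (domain, queries, distinct subdomains, mean sub length, seen in HTTP)."""
    count, subs = defaultdict(int), defaultdict(set)
    for rec in parse_zeek_tsv(dns_log):
        if rec.get("query", "-") == "-":  # Zeek writes '-' for an unset field
            continue
        sub, dom = split_fqdn(rec["query"])
        count[dom] += 1
        subs[dom].add(sub)
    rows = []
    for dom, n in count.items():
        mean_len = sum(map(len, subs[dom])) / len(subs[dom])
        http_seen = any(split_fqdn(h)[1] == dom for h in http_hosts)
        rows.append((dom, n, len(subs[dom]), round(mean_len, 1), http_seen))
    return sorted(rows, key=lambda r: r[2], reverse=True)  # most subdomains first

def suspicious(rows, min_unique=3, min_mean_len=10):
    """Illustrative thresholds (not RITA's): many long distinct subdomains, no HTTP."""
    return [r for r in rows if r[2] >= min_unique and r[3] >= min_mean_len and not r[4]]

if __name__ == "__main__":
    print(suspicious(exploded_dns(SAMPLE_DNS_LOG, SAMPLE_HTTP_HOSTS)))
```

On a real capture, point the functions at the dns.log produced in dnscat2_logs and at the `host` column of the matching http.log; the registered-domain split is deliberately naive and will mis-group suffixes such as co.uk.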
